sagate.exe

What is it?
sagate.exe is a file associated with the W32.gaobot.BOW worm

What does it do?
W32.Gaobot.BOW is a network-aware worm that has backdoor capabilities and can be controlled through IRC channels

When W32.Gaobot.BOW is executed, it performs the following actions:

Copies itself as %System%sagate.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).

Adds the value:

"Sagate Security Firewall" = "sagate.exe"

to the registry keys:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
RunServices

so that the W32.Gaobot.BOW runs when you start Windows.

Connects the backdoor component to the remote IRC server lud.b0b.org on TCP port 7000 and awaits commands from a remote attacker.

The backdoor allows the attacker to perform some of the following actions on the compromised system:

• Download and execute files
• Scan the network
• List, stop, and start processes
• Control the file system (Delete, create, and list files)
• Launch Denial of Service (DoS) attacks
• Perform port redirection
• Start a socks proxy
• Start an FTP server
• Retrieve Windows product keys

Opens three randomly selected TCP ports.

Overwrites bystem%driversetchosts with the following lines:

• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 trendmicro.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 update.symantec.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 nai.com
• 127.0.0.1 secure.nai.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 my-etrust.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 ca.com
• 127.0.0.1 www.ca.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 avp.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 kaspersky.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 f-secure.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 www.viruslist.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 mcafee.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 sophos.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 symantec.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 www.symantec.com

Attempts to copy itself to the following shares on randomly generated IP addresses:

• admin$
• print$
• C$
• D$
• E$

using it's own list of user names and passwords

Sends HTTP GET messages to the following hosts (to measure connection speed):

• yahoo.co.jp
• www.nifty.com
• www.d1asia.com
• www.st.lib.keio.ac.jp
• www.lib.nthu.edu.tw
• www.above.net
• www.level3.com
• nitro.ucsc.edu
• www.burst.net
• www.cogentco.com
• www.rit.edu
• www.nocster.com
• www.verio.com
• www.stanford.edu
• www.xo.net
• de.yahoo.com
• www.belwue.de
• www.switch.ch
• www.1und1.de
• verio.fr
• www.utwente.nl
• www.schlund.net

Attempts to steal CD keys for a number of computer games

More info and Removal
@symantec